Thursday, September 07, 2006

To catch a leaker, Hewlett-Packard's chairwoman spied on the home-phone records of its board of directors.

The confrontation at Hewlett-Packard started innocently enough. Last January, the online technology site CNET published an article about the long-term strategy at HP, the company ranked No. 11 in the Fortune 500. While the piece was upbeat, it quoted an anonymous HP source and contained information that only could have come from a director. HP’s chairwoman, Patricia Dunn, told another director she wanted to know who it was; she was fed up with ongoing leaks to the media going back to CEO Carly Fiorina’s tumultuous tenure that ended in early 2005. According to an internal HP e-mail, Dunn then took the extraordinary step of authorizing a team of independent electronic-security experts to spy on the January 2006 communications of the other 10 directors—not the records of calls (or e-mails) from HP itself, but the records of phone calls made from personal accounts. That meant calls from the directors’ home and their private cell phones. ...

The HP case specifically also sheds another spotlight on the questionable tactics used by security consultants to obtain personal information. HP acknowledged in an internal e-mail sent from its outside counsel to Perkins that it got the paper trail it needed to link the director-leaker to CNET through a controversial practice called “pretexting”; NEWSWEEK obtained a copy of that e-mail. That practice, according to the Federal Trade Commission, involves using “false pretenses” to get another individual’s personal nonpublic information: telephone records, bank and credit-card account numbers, Social Security number and the like. Pretexting is heavily marketed on the Web.

Typically—say in the case of a phone company—pretexters call up and falsely represent themselves as the customer; since companies rarely require passwords, a pretexter may need no more than a home address, account number and heartfelt plea to get the details of an account. According to the Federal Trade Commission’s Web site, pretexters sell the information to individuals who can range from otherwise legitimate private investigators, financial lenders, potential litigants and suspicious spouses to those who might attempt to steal assets or fraudulently obtain credit.

Incidentally, one of the most common misconceptions about privacy is that it's merely about trusting the government not to abuse its powers. This case illustrates that when you create vast databases, you have to cross your fingers and hope that there is no one else (such as your employer) with a motive to spy on you.

Update: It has now emerged that HP also spied on journalists' telephone calls. Particularly in the US, there's been media lethargy about privacy issues; hopefully there'll be more coverage of the issues as reporters realise that it may be their ox being gored.